US008527741B2

(12) United States Patent

Bourdon et a].

(10) Patent N0.: (45) Date of Patent:

(56)

US 8,527,741 B2
*Sep. 3, 2013

(54)

SYSTEM FOR SELECTIVELY SYNCHRONIZING HIGH-ASSURANCE SOFTWARE TASKS ON MULTIPLE PROCESSORS AT A SOFTWARE ROUTINE LEVEL

References Cited
U.S. PATENT DOCUMENTS
5,249,188 A * 9/1993 McDonald .................... .. 714/53

5,255,367 A

10/1993 Bruckert et a1.

(75)

Inventors: Albert J. Bourdon, Solana Beach, CA

(Continued)
FOREIGN PATENT DOCUMENTS
EP GB W0 W0 0674262 2399426 WO 2007/006011 WO 2007/006013 A A A2 A2 9/1995 9/2004 1/2007 1/2007

(US); Gary G. Christensen, Vista, CA (US); Michael J. Godfrey, Carlsbad, CA

(Us) (73) Assignee: ViaSat, Inc., Carlsbad, CA (US) (*)

Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35

OTHER PUBLICATIONS

U.S.C. 154(b) by 313 days.

This patent is subject to a terminal dis claimer.

Deconnick, Geert et al., The EFTOS Approach to dependability in embedded Supercomputing, IEEE Transactions on Reality, Mar. 2002, vol. 51, Issue 1, p. 76-90, Posted online Sep. 7, 2002 at:

http://www.esatkuleuven.be/electa/publications/fullteXts/pubi884. pdf.

(21) Appl. N0.: 11/428,508 (22) (65)

Filed: Jul. 3, 2006
Prior Publication Data

(Continued)
Primary Examiner * David J Huisman

(74) Attorney, Agent, or Firm * Kilpatrick Townsend & Stockton LLP

US 2007/0113224 A1

May 17, 2007

(57)

ABSTRACT

Related US. Application Data

(60) Provisional applicationNo. 60/697,071, ?led on Jul. 5,

2005, provisional application No. 60/ 697,072, ?led on Jul. 5, 2005.

A task matching circuit for synchronizing software on a plu rality of processors is disclosed. The task matching circuit includes ?rst and second inputs, an analysis sub-circuit, and an output. The ?rst input is from a ?rst processor con?gured to receive a ?rst software routine identi?er. The second input
is from a second processor con?gured to receive a second

(51) (52) (58)

Int' Cl G06F 9/40

(200601)

software routine identi?er. The analysis sub-circuit deter mines if the ?rst software routine identi?er corresponds with the second software routine identi?er. The output is coupled
to at least one of the ?rst or second processors and indicates when the ?rst and second software routine identi?ers do not correspond One Ofthe ?rst and Second processors is delayed until the ?rst and second software routine identi?ers corre Spend

G06F 11/14 (200601) US Cl USPC ......................................... .. 712/220; 712/229 Field of Classi?cation Search USPC ............. .. 712/15, 43, 220, 227, 229; 714/11,

7 1 4/ 1 2, 797

See application ?le for complete search history.

19 Claims, 7 Drawing Sheets

r144
Status

Lights

01ml f120-1
Processor
First

(1244

1004
,A/

Synchromzer

(112

r108

> 35?:

M12255,
1 f

F132 313311?

s o t

F104 50%" >

t

120-2

124_2

lError

pfjggsnsir

Synchronizer

US 8,527,741 B2
Page 2
(56) References Cited
U.S. PATENT DOCUMENTS
5,751,932 A * 5/1998 Horstet a1. ................... .. 714/12

5,845,060 A *
5,896,523 A * 6,065,135 A *

12/1998 Vrbaetal. ..
4/1999 5/2000

714/12

Extended Search Report mailed on May 27, 2011 for EP Patent Application No. EP 06786507, 7 pages. International Search Report and Written Opinion for PCT/US2006/ 026374 mailed on Apr. 1, 2008, 4 pages. International Search Report and Written Opinion for PCT/US2006/
026376 mailed on Feb. 4, 2008, 7 pages.

Bissett etal. .. . 713/400 Marshall et al. .............. .. 714/11

6,067,633 6,101,255 6,178,244 6,226,742 6,279,119

A A B1 B1 B1

5/2000 8/2000 1/2001 5/2001 8/2001

3/2002 3/2002

Robbins et a1. Harrison etal. Takedaet a1. Jakubowskiet al. Bissett etal.
Barthel et a1. ................ .. 700/82 Esposito et al. ................ .. 711/2

Non-Final Of?ce Action of Aug. 15, 2011 for US. Appl. No. 11/428,505, 12 pages. Notice ofAlloWance ofMay 18, 2010 for US. Appl. No. 11/428,5 16,
8 pages.

Advisory Action of Mar. 8, 2010 for US. Appl. No. 11/428,505, 3

pages.

6,356,795 B1* 6,363,453 B1*

6,363,464 B1
6,434,712 B1*

3/2002 Mangione
8/2002 Urban et al. .................. .. 714/12

6,665,700 B1
7,107,484 B2*

12/2003 Sugisaki et al.

9/2006 Yamazaki et al. ............ .. 714/12

7,802,075 2001/0044912 2003/0039354 2003/0140255 2004/0230729 2005/0021949 2005/0102244 2005/0120218 2007/0113230 2007/0245141

B2 A1 A1 A1 A1 A1 A1 A1 A1 A1

9/2010 11/2001 2/ 2003 7/ 2003 11/2004 1/2005 5/2005 6/ 2005 5/2007 10/2007

Bourdon et al. Francis et a1. Kimble et a1. Ricchetti et al. Ho et al. IZaWa et al. Dickinson et al. EchiZen et al. Bourdon et al. OKeefe et al.

Non-Final Of?ce Action 11/428,505, 12 pages. Non-Final Of?ce Action 11/428,516, 25 pages. Non-Final Of?ce Action 11/428,505, 11 pages. Non-Final Of?ce Action 11/428,516, 23 pages. Non-Final Of?ce Action 11/428,505, 9 pages.

of Dec. 16, 2009 for US. Appl. No. of Nov. 20, 2009 for US. Appl. No.

of May 29, 2009 for US. Appl. No.

of Nov. 19, 2008 for US. Appl. No. of Nov. 17, 2008 for US. Appl. No.

OTHER PUBLICATIONS

Examiner Interview Summary ofAug. 21, 2008 for US. Appl. No. 11/428,516, 4 pages. Non-Final Of?ce Action of May 13, 2008 for US. Appl. No. 11/428,516, 22 pages. Notice ofAlloWance ofJan. 31, 2012 for US. Appl. No. 11/428,505,
17 pages.

Supplementary European Search Report for European Application

No. EP06786509 dated Dec. 16, 2009, 5 pages.

* cited by examiner

US. Patent

Sep. 3, 2013

Sheet 3 of7

US 8,527,741 B2

CLKl r120-1
J

Task_Match Next_Task

r108
Manager >
Task Error

Processor

New_Task

Task_|D(7:O)
CLK
Y

(120-2
J

New_Task

Processor

Task_|D(7:O)

-|-;:1Sk_|\/|at(;h+

Fig. 2A

Kl r120-1
/

Task_Match

f108
>
Task Error

Processor New_Task Task_|D(7:O)

Next_Task

cl-Kl I120'2
New_Task
Task_|D(7:0) Processor 4 Task_Match > Next_Task

Manager _>

Fig. 2B

US. Patent

Sep. 3, 2013

Sheet 4 of7

US 8,527,741 B2

108-1

Processor

New Task
a

CLK

120-2

Task

Error

Manager
.

New Task
a

Processor

108-2

Task_Match

Task

Error

Manager

Fig. 2C

US. Patent

Sep. 3, 2013

Sheet 5 of7

US 8,527,741 B2

( START )
304

v f Receive Interrupt at First & Second

Processors Asynchronously

300

//

r 308
312

ISR Initiates Software Routine

on First & Second Processors

Both Processors Activate New_Task With the First Being Recognized as Master
316

Slave Processor Cycles Through Tasks while Both Processors Wait for Task_Match Before Continuing

l
/

r320
324

Both Processors Execute

Task to Produce Output

Synchronization and/or Buffering of Outputs Before Comparison

Jr
Any Errors

328

Reported

END

Fig. 3

US. Patent

Sep. 3, 2013

Sheet 6 of7

US 8,527,741 B2

( START )

iv
Synchronous Task Initiated

404 ~

400-1

by First Processor

/\/

l
Indicated by New_Task

f 408
' 412

Receive Task_lD from First Processor

Receive Task_lD from Second

Processor Indicated by New_Task

Task Match?

YES
440

420
Activate Next_Task to

v f Assert Task_Match Slgnais

444

Second Processor
424

f
Both Processors Execute Task

v
'

If
tr
( END
A

Receive Task_|D from Second Processor indicated by New_Task

}
All Tasks Reviewed Report Error of Missing Task

r 432

Fig. 4A

US. Patent

Sep. 3, 2013

Sheet 7 on

US 8,527,741 B2

I START I
r 404
v I

Synchronous Task Initiated

4002

by Initiating Processor

/\/

f 408
412

Receive Task_ID from Initiating Processor Indicated by New_Task

v F

Receive Task_ID from Non-Initiating Processor Indicated by New_Task

Task Match?

YES

l
420
Assert Task_Match Signals

{440
r

Non-Initiating Processor
424

Activate Next_Task to
V

l
Both Processors Execute Task

444

Receive Task_ID from Non-Initiating Processor Indicated by New_Task

(
All Tasks Reviewed

432

Report Error of Missing Task

Fig. 4B

US 8,527,741 B2
1
SYSTEM FOR SELECTIVELY SYNCHRONIZING HIGH-ASSURANCE SOFTWARE TASKS ON MULTIPLE PROCESSORS AT A SOFTWARE ROUTINE LEVEL

2
?rst softWare routine identi?er corresponds With the second softWare routine identi?er. The output is coupled to at least
one of the ?rst or second processors and indicates When the ?rst and second softWare routine identi?ers do not corre

This application claims the bene?t of and is a non-provi sional of both US. Provisional Application Ser. No. 60/697, 072 ?led on Jul. 5, 2005; and US. Provisional Application
Ser. No. 60/697,071 ?led on Jul. 5, 2005, Which are both

spond. One of the ?rst and second processors is delayed until the ?rst and second softWare routine identi?ers correspond. Further areas of applicability of the present disclosure Will

become apparent from the detailed description provided here

inafter. It should be understood that the detailed description

and speci?c examples, While indicating various embodi

ments, are intended for purposes of illustration only and are not intended to necessarily limit the scope of the disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS

assigned to the assigner hereof and hereby expressly incor

porated by reference in their entireties for all purposes. This application is related to all of US. patent application Ser. No. 11/428,520, ?led Jul. 3, 2006, entitled TRUSTED CRYPTOGRAPHIC SWITCH; US. patent application Ser. No. 11/428,505, ?led Jul. 3, 2006, entitled TRUSTED CRYPTOGRAPHIC PROCESSOR; and US. patent appli cation Ser. No. 11/428,516, ?led Jul. 3, 2006, entitled SYN CHRONIZED HIGH-ASSURANCE CIRCUITS; Which are all assigned to the assigner hereof and hereby expressly incorporated by reference in their entirety for all purposes.
BACKGROUND

The present disclosure is described in conjunction With the

appended ?gures:
20

FIGS. 1A and 1B depict block diagrams of embodiments of a redundant processing system; FIGS. 2A, 2B and 2C depict block diagrams of embodi ments of a task management circuit interacting With tWo
processors;
FIG. 3 illustrates a ?owchart of an embodiment of a process

This disclosure relates in general to high-assurance pro cessing and, but not by Way of limitation, to redundant cir

25

for aligning processing of some tasks on tWo circuits; and FIGS. 4A and 4B illustrate ?oWcharts of embodiments of a

cuits used in cryptographic processing.

Some cryptosystems today use microprocessors. Often redundancy is used to assure proper operation of the crypto

process for managing task alignment for tWo circuits. In the appended ?gures, similar components and/or fea
tures may have the same reference label. Further, various

components of the same type may be distinguished by fol

30

system. Microprocessors may be implemented redundantly.

To assure they operate in synchronization, the microproces sors may be run in lock-step fashion such that they perform
their execution in unison. Should one processor vary its

loWing the reference label by a dash and a second label that

distinguishes among the similar components. If only the ?rst reference label is used in the speci?cation, the description is
35

operation from the other, a comparison function Would ?nd

the problem.
Under many circumstances, the same processors Working in unison Will eventually drift apart. PoWer conservation cir
cuits can throttle-back sub-circuits to save poWer and/ or pre

applicable to any one of the similar components having the same ?rst reference label irrespective of the second reference label.
DETAILED DESCRIPTION

vent overheating. Interrupts can often be received asynchro

nously. Out-of-order execution can also cause
40

The ensuing description provides preferred exemplary

embodiment(s) only, and is not intended to limit the scope, applicability or con?guration of the disclosure. Rather, the

unpredictability in the processing How of microprocessors.

These and other factors make some microprocessor designs

ensuing description of the preferred exemplary embodi

ment(s) Will provide those skilled in the art With an enabling

unsuitable for lock-step operation. Lock-step designs require circuits that match very closely
to prevent one from getting out of synchronization With
another. Synchronizers are used to align events that occur at different times. Where circuits cannot be matched or are
45

description for implementing a preferred exemplary embodi

ment. It being understood that various changes may be made in the function and arrangement of elements Without depart ing from the spirit and scope as set forth in the appended claims. Referring ?rst to FIG. 1A, a block diagram of an embodi ment of a redundant processing system 100-1 is shoWn. This
embodiment uses tWo processors 120 that synchronize on

changed during repair, the lock-step design may no longer operate in synchronization.
For lock-step operation, the softWare on all mirrored
50

microprocessors must execute together, Which requires the

same softWare execution on the microprocessors. Some soft

occasion for high-assurance tasks, but may be out of synchro

nization at other times When other tasks are being performed. The block diagram is simpli?ed in that only a feW blocks are shoWn that demonstrate high-assurance tasks and a loW-as surance task. A task is any discrete function, routine, snippet, applet, program, or process that can be implemented in soft Ware and/or hardWare. In this example, servicing the input

Ware tasks are appropriate for lock-step operation, While oth ers do not require that level of harmonization. Redundant
execution of all softWare Wastes resources on routines that have no need for harmonization.
55

SUMMARY

In one embodiment, the present disclosure provides a task matching circuit for synchronizing softWare on a plurality of processors is disclosed. The task matching circuit includes ?rst and second inputs, an analysis sub-circuit, and an output. The ?rst input is from a ?rst processor con?gured to receive a ?rst softWare routine identi?er. The second input is from a second processor con?gured to receive a second softWare routine identi?er. The analysis sub-circuit determines if the

60

and output ports is high-assurance, but operating status lights is loW-assurance. When performing high-assurance tasks,
redundant processing is performed Where the results are com pared to assure a match. Even though this embodiment only shoWs tWo redundant sub-circuits, other embodiments could

65

have any number of redundant sub-circuits, e.g., four, six, eight, etc. High-assurance tasks include servicing an input and output ports 112, 104. The input port 112 receives information that is

US 8,527,741 B2
3
redundantly sent to a ?rst processor 120-1 and a second

4
tion. In this embodiment, the tWo processors 120 could be different designs or clocked at different frequencies such that

processor 120-2 for processing. The processing could include

formatting, validity checks, cryptographic processing, etc.

The processors 120 could be of the same or a similar con?gu

lock-step synchronization is not realized. The task managers 108 keep the processors 120 task aligned for some high
assurance tasks despite any differences in the processors 120. Should the task managers 108 disagree at some point, an error

ration. In this embodiment, the clocks for the processors 120

are not synchronized and could run at different speeds. For example, the ?rst processor 120 could run faster or more e?iciently to alloW for extra loW-assurance tasks to be ser

Would be produced. Comparison circuits could, for example,

be used to check the output of the task managers 108. The synchronized task output comparator 132 acts as in FIG. 1A. Referring next to FIG. 2A, a block diagram of an embodi ment of a task management circuit 108 interacting With tWo processors 120 is shoWn. Only a single task manager 108 is used in this embodiment, but other embodiments could use redundant task managers. In this embodiment, the second
processor 120-2 initiates task synchronizations as a master of the process and the ?rst processor 120-1 acts as a slave.

viced such as servicing the status lights 144. When running the same high-assurance tasks, the processors 120 could dis
able further interrupts to avoid one or both processors 120

from Wandering aWay from the current task and risking a loss

of synchronization.
A task manager 108 is used in this embodiment to alloW

coordinating pursuit of high-assurance tasks by ensuring that

each processor performs the shared high-assurance tasks in
the same order. These processors may have other tasks inter

spersed betWeen the shared tasks. One of the processors 120 initiates a high-assurance task and noti?es the task manager 108 Which makes sure the other processor 120 is ready to initiate the same high-assurance task. When both processors 120 are ready, the task manager 108 noti?es both to begin execution. An example can illustrate the task synchronization process. A message is received on the input port and both processors 120 are interrupted to gather and process the message. The ?rst processor 120-1 to execute its interrupt service routine

For a high-assurance task, the second processor 120-2 acti vates the NeW_Task signal. The task manager 108 reads the Task_ID value from the second processor 120-2. Activation
20

of the NeW_Task signal and Writing the Task_ID is coded into

the task routine run on the second processor 120-2. This embodiment uses an eight bit value to indicate the task iden

25

(ISR) Would get to the point of notifying the task manager

108. Presumably, the other processor 120-2 is getting to a

ti?er, but other embodiments could use a 16-bit, 32-bit value or any other sized value. The Task_ID is unique to a particular high-assurance task run on both processors 120. With the Task_ID, the task manager 108 activates the Next_Task signal to ask the ?rst processor 120-1 to indicate the next task queued for execution. The ?rst processor acti

similar point in its respective ISR. The task manager 108

Would hold the ?rst processor 120-1 to Wait for the second processor 120-2. The second processor 120-2 could be

30

vates its NeW_Task signal to indicate validity of a Task_ID. Where there is no match of both Task_IDs, the task manager
108 asks the ?rst processor to move to the next task by

activation of the Next_Task signal. Should the tWo Task_IDs

match or correspond, hoWever, the Task_Match signals are activated. This Would signal to both processors 120 to begin to
35

prompted by the task manager 108 to cycle through all poten

tial tasks until the one indicated by the ?rst processor 120-1 matches. The task manager 108 Would coordinate both pro cessors 120 in beginning to execute the same task. Although

this embodiment does not require lock-step processing of high-assurance tasks, other embodiments could use lock-step

execute the same task indicated by the Task_IDs. If no task match is produced Within a pre-determined time or number of trials, the processor Would discard that task from its queue
and continue in one embodiment.

processing When executing high-assurance tasks.

Although the task manager should assure that both proces
sors 120 Work the same task in the same order, the results can
40

With reference to FIG. 2B, a block diagram of another embodiment of a task management circuit 108 interacting With tWo processors 120 is shoWn. In this embodiment, either
processor can initiate a task synchronization. The ?rst to initiate Would act as the master of the process and the other processor Would act as the slave. The task manager 108 Would Work With the master processor 120 until matching tasks are

be out of time synchronization. Synchronizers 124-1, 124-2

in this embodiment can realign the output from each proces sor and/or reduce the risk of metastability When going from
one clock domain to another. In one embodiment, the syn
45

chronizer 124 for each processor 120 produces results in

synchronization by buffering results from the processor and

aligning those results or forgiving any misalignment. In one embodiment, the task manager 108 could alloW the proces sors 120 coordinate Writing out information such that align ment issues are reduced. This embodiment of the synchro nizer Would still reduce the risk of metastability When
50

found and executed before alloWing another initiation of the task matching process. Alternative embodiments could redundantly implement the task manager 108 and still alloW dynamically assigning the master of the process. Disagree
ment betWeen redundant task managers 108 Would be recog
nized as an error.

With reference to FIG. 2C, a block diagram of an embodi

crossing clock domains.

The compare circuit 132 checks that the results produced after synchronization match before sending a result to the
output port 104. Where there is no match an error is produced and the result is not sent to the output port 104. Some embodi ments of the compare circuit 132 may alloW the results from each synchronizer 124 to be one or more clock cycles out of
55

ment of redundant task management circuits 108 interacting

With tWo processors 120 is shoWn. This embodiment utilizes

redundancy in the task management circuits 108 to provide high-assurance. Both task management circuits 108 compare tasks and report task incrementing and matching tasks to each
other. Where the tWo task managers 108 are not in agreement,

an error is generated. In the depicted embodiment, second

60 processor 120-2 acts as a master and the ?rst processor acts as

sync When performing the comparison Without producing a

error.

a slave in the process of synchronizing execution of a high

With reference to FIG. 1B, a block diagram of another embodiment of a redundant processing system 100-2 is
shoWn. This embodiment has tWo task managers 108 that are

assurance task. The ?rst processor is directly manipulated by the ?rst task manager 108-1, and the second processor is directly manipulated the second task manager 108-2.
65

used to achieve redundancy in the task management function. Each processor 120 responds to its respective task manager 108-1, 108-2, Who then coordinate aligning the task execu

Referring next to FIG. 3, a ?owchart of an embodiment of a process 300 for aligning processing of some tasks on tWo

circuits is shoWn. The depicted portion of the process begins

US 8,527,741 B2
5
in block 304 where the ?rst and second processors 120 receive an interrupt to perform some sort of high-assurance task. Alternatively, the processors 120 could poll a register to determine when a high-assurance task should be initiated. An ISR indicated by the interrupts is started on both processors 120. The two processors 120 may start processing the inter

6
low-assurance tasks for a possible match. The next Task_ID for the second processor 120 is received by the task manager 108 in block 424.
Inblock 428, a determination is made to see if all tasks have

rupts at different times in block 308. Further, processing could be rearranged or interrupted such that both processors
120 are not performing the same actions at the same time.

been presented. This could be done by waiting for the same task to be presented again, by a signal from the processor, or a time delay that would permit review of all tasks. Where all have been reviewed and a match wasnt found, processing
goes from block 428 to block 432 where an error is reported.

In this embodiment, both processors could potentially be the master initiating the task matching process, but only one
is allowed to master the process. Where both activate their

respective New_Task lines simultaneously, the task manager

108 could arbitrarily, randomly or repeatedly pick one of the
two to be the master. In block 312, one or both processors 120

If all the tasks have not been reviewed in block 428, process ing loops back to block 416 to determine if there is a match before further processing as described above. With reference to FIG. 4B, a ?owchart of another embodi ment of a process 400-2 for managing task alignment for two circuits is shown. In this embodiment, both processors 120
can initiate a task check. The initiating processor masters the process and the non-initiating processor is a slave in the

activate the New_Task line and one is recogniZed as master. In block 316, the slave processor 120 is tested to determine if the Task_ID matches with the master processor 120. Where there is no match, the slave processor cycles through tasks as

process. The ?rst processor to identify the high-assurance task and activate the New_Task becomes the initiating pro
20

Next_Task is activated successively. At some point in block 316, Task_Match goes active to indicate that both processors
120 have the same Task_ID at the top of their execution queue.

ces sor. The initiating processor could be chosen in other ways in other embodiments. Speci?c details are given in the above description to pro

With matching Task_IDs, Task_Match signals to both pro

cessors that they should start execution of the high-assurance task in block 320 and produce an output of some sort. The operation of the processors 120 may or may not be in lock
25

vide a thorough understanding of the embodiments. However, it is understood that the embodiments may be practiced with out these speci?c details. For example, circuits may be shown
in block diagrams in order not to obscure the embodiments in

step during execution of the high-assurance task. Some, all or low-priority interrupts may be disabled during execution of the high-assurance task to control the interrupts tolerated.
Synchronization and/or buffering may or may not be done on

unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring
30

the output before comparing the outputs from both processors

120 in block 324. Any errors are handled and reported in block 328.
With reference to FIG. 4A, a ?owchart of an embodiment
35

the embodiments. Also, it is noted that the embodiments may be described as a process which is depicted as a ?owchart, a ?ow diagram, a data ?ow diagram, a structure diagram, or a block diagram.
Although a ?owchart may describe the operations as a

of a process 400-1 for managing task alignment for two

circuits is shown. The circuits may be state machine driven or processor driven, but in this embodiment both circuits use

processors. The depicted portion of the process begins in step

404 where a synchronous or high-assurance task is initiated by a ?rst processor 120. The task manager 108 is told by the ?rst processors activation of the New_Task line to observe the Task_ID value in block 408. The identi?cation of the task
from the second processor is received in block 412. In one
40

sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the opera tions may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the ?gure. A process may correspond to a method,
a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

embodiment, the New_Task line serves to latch the Task_ID into a register of the task manager 108. If operating correctly, both processors have the task ready to execute, but on the second processor, the task may not be at the top of the queue. A test in block 416 determines if the Task_IDs for both
processors match. In some embodiments this could be an

45

Moreover, as disclosed herein, the term storage medium may represent one or more devices for storing data, including

read only memory (ROM), random access memory (RAM), magnetic RAM, core memory, magnetic disk storage medi ums, optical storage mediums, ?ash memory devices and/or other machine readable mediums for storing information. The
50

term machine-readable medium includes, but is not limited

exact match or just that they correspond. For example, one

embodiment may use hexadecimal number for one proces

sors Task_ID and ASCII for the other processors Task_ID.

The task manager 108 would know how to correspond or translate one to the other. Where the Task_IDs correspond, the
55

to portable or ?xed storage devices, optical storage devices, wireless channels, and/or various other mediums capable of storing, containing or carrying instruction(s) and/ or data. Furthermore, embodiments may be implemented by hard

ware, software, scripting languages, ?rmware, middleware,

microcode, hardware description languages, and/or any com bination thereof. When implemented in software, ?rmware,

Task_Match signal is asserted by the task manager 108 and

fed to both processors in block 440. Both processors 120 execute the task inblock 444 to produce some output or result. The processors 120 may or may not act in lock-step.

middleware, scripting language, and/or microcode, the pro

gram code or code segments to perform the necessary tasks
60

Should the tasks not match in block 416, the second pro cessor rotates through its tasks until they do correspond. In

may be stored in a machine readable medium such as a stor

block 420, the Next_Task signal is activated by the task man ager 108. This signal tells the second processor to present the
Task_ID for another task. The second processor may ran domly, sequentially or use some other scheme to present the next task for a possible match. This embodiment presents
65

age medium. A code segment or machine-executable instruc tion may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software pack age, a script, a class, or any combination of instructions, data structures, and/or program statements. A code segment may be coupled to another code segment or a hardware circuit by

tasks thought to be high-assurance ?rst before presenting

passing and/ or receiving information, data, arguments,

US 8,527,741 B2
7
parameters, and/or memory contents. Information, argu ments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory shar

8
the analysis sub-circuit is con?gured to delay the ?rst
processor, and select each of the plurality of second software routine identi?ers in the queue of second software routine identi?ers, without the second pro
cessor executing a second routine corresponding to a

ing, message passing, token passing, network transmission,

etc.

Implementation of the techniques, blocks, steps and means

described above may be done in various ways. For example, these techniques, blocks, steps and means may be imple
mented in hardware, software, or a combination thereof. For

presently selected second software routine identi?er,

until the ?rst software routine identi?er and the pres ently selected second software routine identi?er cor respond to the same routine. 2. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the analysis sub-circuit is con?gured to cause the ?rst processor to perform more software routines than the second processor

a hardware implementation, the processing units may be implemented within one or more application speci?c inte

grated circuits (ASlCs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable
logic devices (PLDs), ?eld programmable gate arrays (FP GAs), processors, controllers, micro-controllers, micropro
cessors, other electronic units designed to perform the func
tions described above, and/or a combination thereof. For a software implementation, the techniques, processes

during normal operation.

3. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the analysis sub-circuit is con?gured to receive an initiation mes
sage from the ?rst processor, and initiate a task check process
20

and functions described herein may be implemented with

modules (e. g., procedures, functions, and so on) that perform

the functions described herein. The software codes may be stored in memory units and executed by processors. The memory unit may be implemented within the processor or
external to the processor, in which case the memory unit can

be communicatively coupled to the processor using various

25

known techniques.
While the principles of the disclosure have been described above in connection with speci?c apparatuses and methods, it is to be clearly understood that this description is made only
by way of example and not as limitation on the scope of the disclosure.
30

to synchronize the ?rst and second processors in executing the ?rst routine. 4. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the output indicates that the ?rst software routine identi?er and the presently selected second software routine identi?er cor respond to the same routine only when the second software routine produces a result that the ?rst software routine also

produces.
5. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the analysis sub-circuit is con?gured to delay at least one of the ?rst and second processors from executing a software routine corresponding to one of the ?rst software routine identi?er and the presently selected second software routine identi?er until the output indicates that the ?rst and second software routine identi?ers correspond to the same routine. 6. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, further com prising the ?rst processor and the second processor wherein the ?rst processor operates off a ?rst clock signal different from a second clock signal of the second processor. 7. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the ?rst processor cannot communicate directly with the second processor. 8. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the ?rst software routine identi?er is created from contents of the ?rst routine. 9. The task matching circuit for synchronizing software on the plurality of processors as recited in claim 1, wherein the ?rst processor is a different design from the second processor.

What is claimed is: 1. A task matching circuit for synchronizing software on a

plurality of processors, the task matching circuit comprising:

a ?rst input from a ?rst processor con?gured to receive a ?rst software routine identi?er, wherein one value of the

35

?rst software routine identi?er uniquely identi?es,

based on the one value of the ?rst software routine

identi?er, a ?rst routine to be executed by the ?rst pro cessor, the ?rst routine being one of a plurality of rou

40

tines and comprising a predetermined plurality of soft

ware instructions; a second input from a second processor con?gured to

receive a plurality of second software routine identi?ers from a queue of second software routine identi?ers, wherein: each of the plurality of second software routine identi ?ers uniquely identi?es a corresponding one of a plu

45

rality of second routines to be executed by the second

processor, and each of the second routines is one of the plurality of

50

10. The task matching circuit for synchronizing software

on the plurality of processors as recited in claim 1, wherein the ?rst processor and the second processor execute the same
55

routines and comprises a predetermined plurality of software instructions; an analysis sub-circuit, at least partially embodied in hard
ware, con?gured to compare the ?rst software routine identi?er with each of the plurality of second software routine identi?ers and determine if the ?rst software routine identi?er and a presently compared one of the
second software routine identi?ers correspond to a same

routine, at least partially simultaneously in time. 11. The task matching circuit for synchronizing software
on the plurality of processors as recited in claim 1, wherein

60

routine; and
an output coupled to at least one of the ?rst or second

the analysis sub-circuit is con?gured to determine, for a sub set of a plurality of software routine identi?ers, that the ?rst software routine identi?er and the presently selected second software routine identi?ers correspond, and the analysis sub
circuit does not delay the ?rst processor unless at least one of

processors, wherein: the output indicates when the ?rst software routine iden ti?er and one of the plurality of second software rou tine identi?ers do not correspond to the same routine, and

the ?rst software routine identi?er and the presently selected

second software routine identi?er is one of the subset.
65

12. A high-assurance circuit for coordinating performance

on a plurality of sub-circuits, the high-assurance circuit com

prising:

US 8,527,741 B2
10
a ?rst input from a ?rst sub-circuit con?gured to receive a

13. The high-assurance circuit for coordinating perfor

mance on the plurality of sub-circuits as recited in claim 12,

?rst operation identi?er, Wherein one value of the ?rst operation identi?er uniquely identi?es, based on the one value of the ?rst operation identi?er, a ?rst softWare

Wherein the analysis sub-circuit is con?gured to cause the ?rst sub-circuit to perform more functions than the second

operation comprising a predetermined plurality of soft

Ware instructions to be executed by the ?rst sub-circuit, the ?rst software operation being one of a plurality of

sub-circuit during normal operation. 14. The high-assurance circuit for coordinating perfor
mance on the plurality of sub-circuits as recited in claim 12,

softWare operations;
a second input from a second sub-circuit con?gured to receive a plurality of second operation identi?ers from a

further comprising the ?rst sub-circuit Wherein the ?rst sub

circuit is integral to a processor.

15. The high-assurance circuit for coordinating perfor

mance on the plurality of sub-circuits as recited in claim 14,

queue of second operation identi?ers, Wherein: each of the plurality of second operation identi?ers
uniquely identi?es a corresponding one of a plurality

further comprising the second sub-circuit Wherein the second

sub-circuit comprises a processor.

16. The high-assurance circuit for coordinating perfor

mance on the plurality of sub-circuits as recited in claim 15,

of second softWare operations to be executed by the second sub-circuit, and each of the second softWare operations comprises a pre

Wherein the ?rst sub-circuit operates off a ?rst clock signal different from a second clock signal of the second sub-circuit.

determined plurality of softWare instructions;

an analysis sub-circuit, at least partially embodied in hard Ware, con?gured to compare the ?rst operation identi?er With each of the plurality of second operation identi?ers and determine if the ?rst operation identi?er corre sponds With a presently compared one of the second
20

17. The high-assurance circuit for coordinating perfor

mance on the plurality of sub-circuits as recited in claim 12,

Wherein functionally overlapping operations produce at least

one result in common When given a same set of inputs corre

sponding to the at least one result.

18. The high-assurance circuit for coordinating perfor

mance on the plurality of sub-circuits as recited in claim 12,

operation identi?ers; and

an output coupled to at least one of the ?rst or second
25

Wherein the analysis sub-circuit is con?gured to delay at least

one of the ?rst and second sub-circuits from executing a

sub-circuits, Wherein:
the output indicates When the ?rst operation identi?er and one of the plurality of second operation identi?ers do not correspond to functionally overlapping soft
Ware operations, and
30

softWare operation corresponding to the ?rst operation iden ti?er and the presently selected second operation identi?er until the output indicates that the ?rst operation identi?er and

the analysis sub-circuit is con?gured to delay the ?rst sub-circuit, and select each of the plurality of second operation identi?ers in the queue of second operation
identi?ers, Without the second sub-circuit executing a second softWare operation corresponding to a pres
35

the presently selected second operation identi?er correspond. 19. The high-assurance circuit for coordinating perfor
mance on the plurality of sub-circuits as recited in claim 12,

Wherein the analysis sub-circuit is con?gured to determine,

for a subset of a plurality of operation identi?ers, that the ?rst

and second operation identi?ers correspond, and the analysis

sub-circuit does not delay the ?rst sub-circuit unless at least one of the ?rst operation identi?er and the presently selected second operation identi?er is one of the subset.
* * * * *

ently selected second operation identi?er, until the ?rst operation identi?er and the presently selected second operation identi?er correspond to functionally

overlapping software operations.